Note: This is an archival copy of Security Sun Alert 200454 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000335.1.
Article ID : 1000335.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-01-22
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerabilities in the tip(1) Command May Allow Execution of Arbitrary Code With Elevated Privileges



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
4706048

Date of Resolved Release
23-JAN-2007

Impact

Security vulnerabilities in the tip(1) command may allow a local unprivileged user to execute arbitrary code with the privileges of user uucp (uid 5).


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 111504-02
  • Solaris 9 without patch 123368-01
  • Solaris 10 without patch 124997-01

x86 Platform

  • Solaris 8 without patch 111505-02
  • Solaris 9 without patch 123369-01
  • Solaris 10 without patch 124998-01

Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited to execute arbitrary commands with the privileges of the uucp (uid 5) user.


Workaround

To work around the described issue, remove the set-user-ID bit from the "tip" binary by issuing the following command:

    # chmod u-s /usr/bin/tip

Note: removing the set-user-ID bit from the "tip" binary will prevent unprivileged users from using the "tip" command to access calling devices (like modems).


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 111504-02 or later
  • Solaris 9 with patch 123368-01 or later
  • Solaris 10 with patch 124997-01 or later

x86 Platform

  • Solaris 8 with patch 111505-02 or later
  • Solaris 9 with patch 123369-01 or later
  • Solaris 10 with patch 124998-01 or later
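
The following check is an added example, not part of the original Sun Alert or any Sun tooling: it maps a host's release and platform to the patch listed above, looks for that patch at the listed revision or later in "showrev -p" output, and reports whether the set-user-ID workaround is in place. The function names are hypothetical, and treating a patch named in another patch's Obsoletes: field as satisfying the requirement is an assumption.

```shell
#!/bin/sh
# Added example, not Sun's tooling. Assumes a POSIX shell and awk; on
# Solaris 8-10 run under /usr/xpg4/bin/sh with AWK=nawk.
AWK=${AWK:-awk}

# Map `uname -r` / `uname -p` to the fixing patch named in this alert.
required_patch() {
    case "$1/$2" in
        5.8/sparc)  echo 111504-02 ;;
        5.9/sparc)  echo 123368-01 ;;
        5.10/sparc) echo 124997-01 ;;
        5.8/i386)   echo 111505-02 ;;
        5.9/i386)   echo 123369-01 ;;
        5.10/i386)  echo 124998-01 ;;
        *)          return 1 ;;
    esac
}

# Reads `showrev -p` style lines on stdin. Succeeds when the patch base is
# present at the required revision or later, either installed directly or
# listed in the Obsoletes: field of another installed patch (assumption:
# an obsoleting patch carries the fix of the revision it obsoletes).
patch_installed() {
    "$AWK" -v base="${1%-*}" -v min="${1#*-}" '
        $1 == "Patch:" {
            for (i = 2; i <= NF && $i != "Requires:"; i++) {
                id = $i; sub(/,$/, "", id)
                if (split(id, p, "-") == 2 && p[1] == base && p[2] + 0 >= min + 0)
                    found = 1
            }
        }
        END { exit !found }'
}

# assess RELEASE ARCH TIP_PATH < patch-list
# Prints PATCHED, VULNERABLE (unpatched, setuid bit set), MITIGATED
# (unpatched, workaround applied) or UNKNOWN (release not in the alert).
assess() {
    req=$(required_patch "$1" "$2") || { echo UNKNOWN; return 0; }
    if patch_installed "$req"; then echo PATCHED
    elif [ -u "$3" ]; then echo VULNERABLE
    else echo MITIGATED
    fi
}

# On a live host:
#   showrev -p | assess "$(uname -r)" "$(uname -p)" /usr/bin/tip
```

A MITIGATED result means the workaround is applied but the patch is still missing, so the set-user-ID bit must not be restored until the patch is installed.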


References

111504-02
111505-02
123368-01
123369-01
124997-01
124998-01
